authorMajiir Paktu <majiir@nabaal.net>2023-09-24 15:39:21 -0400
committerMajiir Paktu <majiir@nabaal.net>2023-09-24 18:37:10 -0400
commitdd458977a005ed068d8b2fe1664049b9092e2d22 (patch)
treef833c8c139fa8e089c0fad906f7456a54bec913b /nixos/modules/security/pam.nix
parent0ca24a8dbe73a4cbef6fb2ded5bb3e5fd666a60c (diff)
nixos/pam: clean up rules
Makes the rules more uniform in structure and style. This makes it
easier to automate subsequent commits. No behavior changes.
Diffstat (limited to 'nixos/modules/security/pam.nix')
-rw-r--r--nixos/modules/security/pam.nix38
1 files changed, 16 insertions, 22 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index d83259ccbebc1..a28ee276ce3ab 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -484,14 +484,11 @@ let
           optionalString cfg.mysqlAuth ''
             account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf
           '' +
-          optionalString (config.services.kanidm.enablePam) ''
+          optionalString config.services.kanidm.enablePam ''
             account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user
           '' +
-          optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
-            account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
-          '' +
-          optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
-            account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
+          optionalString config.services.sssd.enable ''
+            account ${if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"} ${pkgs.sssd}/lib/security/pam_sss.so
           '' +
           optionalString config.security.pam.krb5.enable ''
             account sufficient ${pam_krb5}/lib/security/pam_krb5.so
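Review bot: The merged pam_sss rule now hides why the two control fields differ; a reader has to know PAM control syntax to see that `sufficient` lets a pam_sss denial fall through to the remaining account modules, whereas `[default=bad success=ok user_unknown=ignore]` fails the account stack on any non-success result except an unknown user. I'd add a comment directly above the `account ${if cfg.sssdStrictAccess ...}` line: `# sssdStrictAccess: fail the account stack when sssd denies access (unknown users still fall through); otherwise a denial is ignored and later account rules decide.` The option name and the control tokens support this reading, but the option's own description lives outside this hunk, so wording should be checked against it. The enclosing string concatenation starts before this hunk.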
@@ -532,10 +529,9 @@ let
           (let p11 = config.security.pam.p11; in optionalString cfg.p11Auth ''
             auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so
           '') +
-          (let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth (''
-              auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ''
-                + ''${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"}
-          '')) +
+          (let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth ''
+            auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"}
+          '') +
           optionalString cfg.usbAuth ''
             auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
           '' +
@@ -593,13 +589,13 @@ let
                 auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive
               '' +
               optionalString cfg.enableKwallet ''
-               auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
+                auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
               '' +
               optionalString cfg.enableGnomeKeyring ''
                 auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so
               '' +
               optionalString cfg.gnupg.enable ''
-                auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
+                auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly "store-only"}
               '' +
               optionalString cfg.failDelay.enable ''
                 auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay}
@@ -641,7 +637,8 @@ let
           '' +
           optionalString config.services.homed.enable ''
             password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
-          '' + ''
+          '' +
+          ''
             password sufficient pam_unix.so nullok yescrypt
           '' +
           optionalString config.security.pam.enableEcryptfs ''
@@ -687,12 +684,9 @@ let
           optionalString cfg.setLoginUid ''
             session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so
           '' +
-          optionalString cfg.ttyAudit.enable (concatStringsSep " \\\n  " ([
-            "session required ${pkgs.pam}/lib/security/pam_tty_audit.so"
-          ] ++ optional cfg.ttyAudit.openOnly "open_only"
-          ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"
-          ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"
-          )) +
+          optionalString cfg.ttyAudit.enable ''
+            session required ${pkgs.pam}/lib/security/pam_tty_audit.so ${optionalString cfg.ttyAudit.openOnly "open_only"} ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
+          '' +
           optionalString config.services.homed.enable ''
             session required ${config.systemd.package}/lib/security/pam_systemd_home.so
           '' +
@@ -753,16 +747,16 @@ let
           optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''
             session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
           '' +
-          optionalString (cfg.enableKwallet) ''
+          optionalString cfg.enableKwallet ''
             session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
           '' +
-          optionalString (cfg.enableGnomeKeyring) ''
+          optionalString cfg.enableGnomeKeyring ''
             session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
           '' +
           optionalString cfg.gnupg.enable ''
             session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"}
           '' +
-          optionalString (config.virtualisation.lxc.lxcfs.enable) ''
+          optionalString config.virtualisation.lxc.lxcfs.enable ''
             session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all
           ''
         );
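Review bot: The session pam_gnupg rule in this hunk, `${optionalString cfg.gnupg.noAutostart " no-autostart"}`, still carries the leading space inside the literal, while the auth pam_gnupg rule this same commit touches drops it (`"store-only"`) and relies on the space already present after `.so`. For the uniformity the commit is after, change it to `session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart "no-autostart"}`; the emitted rule is unchanged apart from a doubled space. The enclosing string concatenation starts before this hunk and is closed by the final `);` here.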